“Github” message a scam?

About an hour ago I received an email message claiming to be from GitHub, stating:

A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.

While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.

Thunderbird has flagged it as a scam, though it looks very credible, but the email header is a bit flaky as the email has not come from a GitHub server:

X-Original-To: adrian@newgolddream.dyndns.info
Delivered-To: adrian@newgolddream.dyndns.info
Received: from o3.newslettergrid.com (o3.newslettergrid.com [])
	by webmail.thecentreground.com (Postfix) with SMTP id 90FE4BAC449
	for <adrian@newgolddream.dyndns.info>; Wed,  7 Mar 2012 18:21:49 +0000 (GMT)

The worrying thing is that there is nothing on the GitHub site itself to say if it is genuine or indeed a scam.

Right now I am not acting on the message.


2 responses to ““Github” message a scam?”

  1. What does the message want from you? If they want an action, it is a scam.

  2. It’s marked as a scam because the link https://github.com actually points to http://news.github.com/… Nevertheless, if you don’t trust the mail, just log in by visiting github.com directly.
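
The mismatch the second response points to, a link whose visible text names one address while its href goes to another, can be checked mechanically. The following is an added example, not code from the post or from Thunderbird; the function names and the sample HTML are constructed, and the path after news.github.com/ is a placeholder because the post elides it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text counts as an address claim only if it looks like a URL or host name.
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/:?#]\S*)?$", re.I)

def _target(url):
    """Return (scheme, host) for a URL; bare host names get an empty scheme."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return parts.scheme.lower(), (parts.hostname or "").lower()

class LinkAudit(HTMLParser):
    """Collect (visible_text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html):
    """Return links whose visible text names a different host or scheme than the href."""
    audit = LinkAudit()
    audit.feed(html)
    findings = []
    for text, href in audit.links:
        if not URL_LIKE.match(text):
            continue  # wording such as "our blog" makes no claim about the destination
        shown, real = _target(text), _target(href)
        reasons = []
        if shown[1] != real[1]:
            reasons.append("host")
        if shown[0] and shown[0] != real[0]:
            reasons.append("scheme")
        if reasons:
            findings.append((text, href, reasons))
    return findings

# Constructed sample body; PLACEHOLDER stands in for the path the post elides.
SAMPLE = ('<p>Audit your keys at <a href="http://news.github.com/PLACEHOLDER">'
          'https://github.com</a> or read <a href="https://github.com/blog">our blog</a>.</p>')
```

A strict comparison like this also flags click-tracking links on a sender's own subdomain, so a hit is a reason to go to the site directly rather than proof of fraud.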
